(54) Method and apparatus for performing authentication for roaming between different mobile communication systems



(57) A method and apparatus for permitting global roaming between two communication networks which utilize different authentication schemes. The authentication interoperability function (AIF) and method translate between the authentication schemes of each network; for example, a triplet-based network and a shared secret data (SSD) network. When a user from a network that natively uses SSD authentication roams into a triplet-based network, the authentication interoperability function produces triplets from the current SSD. When a triplet user roams into an SSD network, the AIF produces SSD from the triplet.
Description

Field of the Invention


[0001] The present invention relates to authentication of users in a communication system, and more particularly to the authentication of users in a wireless network as the user roams between two communication systems with differing authentication schemes.

Description of the Related Art

[0002] There are currently different communication standards utilized in the U.S., Europe, and Japan. The U.S. currently utilizes three major systems with differing standards. The first system is a time division multiple access (TDMA) system governed by IS-136, the second system is a code division multiple access (CDMA) system governed by IS-95, and the third is the Advanced Mobile Phone System (AMPS). All three communication systems use the IS-41 standard for intersystem messaging, which defines the authentication procedure.

[0003] In TDMA, users share a frequency band; each user's speech is stored, compressed and transmitted as a quick packet, using controlled time slots to distinguish them (hence the phrase "time division"). At the receiver, the packet is decompressed. In the IS-136 protocol, three users share a given channel.
[0004] Traditional systems transmit a single strong signal, perhaps intermittently, on a narrow band. In contrast, CDMA works in reverse, sending a weak but very broad band signal. A unique code "spreads" the signal across a wide area of the spectrum (hence the alternative name, spread spectrum), and the receiver uses the same code to recover the signal from the noise. A very robust and secure channel can be established even for an extremely low-power signal; theoretically, the signal can be weaker than the noise floor. Further, by using different codes, a number of different channels can simultaneously share the same spectrum without interfering with each other.
[0005] The AMPS system is an analog system. 
[0006] Europe utilizes the Global System for Mobiles (GSM) networks as defined by the European Telecommunications Standards Institute (ETSI). GSM now has the support of 80 operators in over 40 countries, including countries outside of Europe. GSM is a TDMA standard, with 8 users per channel. The speech is taken in 20 msec windows, which are sampled, processed, and compressed.

[0007] GSM is transmitted on a 900 MHz carrier. There is an alternative system operating at 1.8 GHz (DCS 1800), providing additional capacity, which is often viewed as more of a personal communication system (PCS) than a cellular system. In a similar way, the U.S. has also implemented DCS-1900, another GSM system operating on the different carrier of 1.9 GHz.
[0008] Personal Digital Cellular (PDC) is the Japanese standard, previously known as JDC (Japanese Digital Cellular). A TDMA standard similar to the U.S. IS-54 protocol, PDC is not in use anywhere else in the world.

[0009] The GSM network utilizes a user identification module (UIM), a credit-card-size card owned by a subscriber, who slides the UIM into any GSM handset to transform it into "their" phone. It will ring when their unique phone number is dialed, calls made will be billed to their account, all options and services connect, voice mail can be connected, and so on. People with different UIMs can share one "physical" handset, turning it into several "virtual" handsets, one per UIM.

[0010] Similar to the U.S. systems, the GSM network also permits "roaming", by which different network operators agree to recognize (and accept) subscribers from other networks as phones (or UIMs) move. So British subscribers can drive through France or Germany and use their GSM phone to make and receive calls (on their same UK number) with as much ease as an American businessman can use a phone in Boston, Miami, or Seattle within any one of the U.S. systems.
[0011] Regardless of the telephone communication system, when a subscriber places a call, his or her telephone indicates to the service provider the identity of the caller for billing purposes. The service provider must then "authenticate" the identity of the caller in order to ensure that he or she is an authorized user.
[0012] The GSM authentication scheme is illustrated in prior art Figures 1 and 2. This authentication scheme includes a home location register (HLR) 10, a visiting location register (VLR) 20, and a mobile terminal (MT) 30, which includes a UIM 32. When the mobile terminal 30 places a call, a request is sent to the home location register 10, which generates an authentication triplet (RAND, SRES, Kc) from a root key Ki. The triplet includes a random number RAND, a signed response SRES, and a session key Kc. The triplet is provided to the visiting location register 20, which passes the random number RAND to the mobile terminal 30. The UIM 32 receives the random number RAND and, utilizing the root key Ki, the random number RAND and an algorithm A3, calculates a signed response SRES. The UIM 32 also utilizes the root key Ki, the random number RAND and an algorithm A8 to calculate the session key Kc.

[0013] The SRES calculated by the UIM 32 is returned to the visiting location register 20, which compares this value with the SRES received from the home location register 10 in order to authenticate the subscriber using the mobile terminal 30.
[0014] In the GSM "challenge/response" authentication system, the visiting location register 20 never receives the root key Ki held by the UIM 32 and the home location register 10. The VLR 20 also does not need to know the authentication algorithms used by the HLR 10 and UIM 32. Also, in the GSM authentication scheme, a triplet must be sent for every phone call by the home location register 10. RAND is 128 bits, SRES is 32 bits and Kc is 64 bits, which is 224 bits of data for each request, a significant data load.

EP 0 955 783 A2

[0015] The IS-41 authentication scheme, used in U.S. TDMA, CDMA and AMPS systems, is illustrated in prior art Figures 3(a), 3(b) and 4. This authentication scheme involves a home location register (HLR) 40, a visiting location register (VLR) 50, and a mobile terminal (MT) 60, which includes a UIM 62. The root key, known as the A_key, is stored only in the HLR 40 and the UIM 62. There is a secondary key, known as Shared Secret Data (SSD), which is sent to the VLR 50 during roaming. SSD is generated from the A_key and a random seed RANDSSD using a cryptographic algorithm, as illustrated in Figure 3(a). In the IS-41 network, this algorithm is CAVE (Cellular Authentication and Voice Encryption). When the MT 60 roams to a visiting network, the VLR 50 sends an authentication request to the HLR 40, which responds by sending that subscriber's SSD.
[0016] Once the VLR 50 has the SSD, it can authenticate the MT 60 independently of the HLR 40, as illustrated in Figure 3(b). The VLR 50 sends a random number RAND to the UIM 62 via the MT 60, and the UIM 62 calculates the authentication response (AUTHR) using RAND and the stored value of SSD in the UIM 62. AUTHR is returned to the VLR 50, which checks it against the value of AUTHR that it has independently calculated in the same manner. If the two AUTHR values match, the MT 60 is declared valid.
[0017] This scheme is efficient in two ways. One, the amount of data passed over the long-distance signaling link between the HLR 40 and the VLR 50 is very small (the 128-bit SSD), and one such transfer is sufficient for the entire registration period. Two, the VLR 50 may authenticate the user before assigning a traffic channel, which is possible because RAND can be generated locally and need not be generated by the HLR 40.
[0018] To generate encryption session keys, the internal state of the CAVE algorithm is preserved after the authentication calculation. Several levels of encryption keys are then calculated using the post-authentication state of CAVE and the current value of SSD, as illustrated in Fig. 4.
[0019] The goal of the International Mobile Telecommunications-2000 (IMT-2000) standards development effort is to provide a global telecommunications system which will support a phone subscription anywhere in the world and will also permit a subscriber to "roam globally". In order to realize this system, interfaces must be provided between the various systems (GSM, IS-41, PDC, etc.) which permit subscribers from different systems to "roam" into other systems. Currently such "global" roaming is unavailable. The International Telecommunication Union (ITU) is working to develop standards which allow global roaming, which will be accomplished with a standardized network-to-network interface (NNI) and UIM-MT interface, which must be capable of passing messages which permit proper authentication of the identity of each caller.

[0020] Several types of global roaming are permitted, including removable UIMs, multi-mode terminals (terminals that can communicate with more than one air interface standard), and downloadable UIMs (terminals which receive service profile information over the air). All three roaming scenarios are equivalent for the purposes of the present invention. What matters is that a UIM from one network is visiting a network with a different authentication scheme, and the UIM must be authenticated using the security architecture of the local network.

Summary Of The Invention
[0021] The present invention addresses the authentication problem by providing an authentication interoperability function (AIF) that permits the authentication of users as they roam between networks that use different authentication schemes. More specifically, interoperability is possible if one network uses stored authentication triplets and a second network uses shared secondary keys, also known as shared secret data (SSD).
[0022] An authentication interoperability function (AIF) translates between the authentication schemes of each family of communication networks (IS-41, GSM, PDC). The AIF may be located at the HLR (Home Location Register) or AC (Authentication Center) of the home network, the VLR (Visited Location Register) of the visited network, or as a stand-alone interworking function (IWF) located elsewhere in the network.
[0023] When a user from a network that natively uses SSD authentication roams into a triplet-based network, the AIF will produce triplets from the current SSD. When a triplet user roams into an SSD network, the AIF will produce SSD from triplet(s).

[0024] The AIF of the present application preserves the current authentication architecture in each communication network family (GSM, IS-41, PDC), concentrates the changes which make the two communication networks compatible in the AIF, the Network-to-Network Interface (NNI), and the User Identity Module (UIM), and preserves the current level of security in each system.



Brief Description Of The Drawings

[0025]

Figure 1 is a block diagram illustrating the basic components of the prior art global system for mobiles (GSM) network;

Figure 2 is a prior art diagram of messages transmitted in the GSM network;

Figures 3(a) and 3(b) are block diagrams illustrating the basic components of the prior art IS-41 network;

Figure 4 illustrates the messages transmitted in the prior art IS-41 network illustrated in Figure 3;

Figure 5 is a block diagram of a generic communication system;

Figure 6 is a block diagram of a generic mobile telecommunication system;

Figure 7 is a block diagram illustrating how an IS-41 user roams into a GSM network;

Figure 8 illustrates how a GSM user roams into an IS-41 network;

Figure 9 illustrates the roaming IS-41 user in more detail;

Figure 10 illustrates the roaming GSM user in more detail; and

Figure 11 illustrates a general network interface.

Detailed Description Of The Invention

[0026] The present invention discloses how to authenticate a global roamer in IMT-2000. An authentication interoperability function is provided that integrates the authentication architectures of GSM MAP and IS-41 MAP. In particular, an authentication interoperability function (AIF) translates between the authentication schemes of the two families (for example, IS-41 and GSM). When an IS-41 user roams into a GSM network, the AIF produces triplets from the current SSD. When a GSM user roams into an IS-41 network, the AIF produces SSD from a single triplet.
[0027] Figure 5 illustrates a basic communication system. A terminal 102 communicates with a network 104, which is connected to an authentication center 106. The network 104 is connected to a second network 114 via a Network-to-Network Interface (NNI) 222. The network 114 is connected to a terminal 116 and an authentication center 112.
[0028] A basic mobile communication system is illustrated in Figure 6.

[0029] In the embodiment illustrated in Figure 6, the home location register (HLR) 302 and visiting location register (VLR) 304 belong to the first network 218, and the home location register (HLR) 306 and visiting location register (VLR) 308 belong to the second network 220. When the first network and the second network utilize different authentication schemes for authenticating the user of mobile terminal 310 with UIM 312, a problem arises regarding how the user is authenticated. The present invention solves this problem by providing an authentication interoperability function which translates between the authentication schemes of the two networks. The authentication interoperability function disclosed in the present application describes how to authenticate a "global" roamer, such as within IMT-2000. This authentication interoperability function integrates the authentication architectures of two networks which utilize different authentication schemes, such as the GSM network and the IS-41 network. A more detailed illustration of the network elements utilized in the GSM network and the IS-41 network is given in Figures 7 and 8.

[0030] Figure 7 illustrates that the first network 218 is a GSM network. This network includes a home location register 302, a visiting location register 304, and a mobile terminal 310 with UIM 312. The second network 220 is an IS-41 network which includes a home location register 306, a visiting location register 308, and a mobile terminal 311 with UIM 312. The authentication interoperability function 314 is utilized when the user of UIM 312 roams to another system, such as the GSM network, as illustrated in Figure 7.
[0031] Figure 8 illustrates the converse situation, where a user from the GSM network roams to the IS-41 network.

IS-41 User Roaming in a GSM Network

[0032] When an IS-41 user roams to a GSM network, the AIF 314 generates an authentication triplet from SSD. As illustrated in Figure 9, the HLR 306 sends the currently stored SSD to the AIF 314, which uses the SSD to generate a triplet, which is sent to VLR 304. Then the VLR 304 authenticates the UIM 312 by sending RAND to the UIM 312 via the MT 310. The UIM 312 generates SRES and Kc with RAND and SSD and sends SRES and Kc to the MT 310. The MT 310 sends SRES to the VLR 304, which compares this SRES with the SRES received from the AIF 314 to authenticate the user. The GSM VLR 304 sends a request for triplets across the Network-to-Network Interface (NNI) 222 to the AIF 314 via a registration notification message (NNI REGNOT). The AIF 314 retrieves the user's SSD from the IS-41 HLR 306 and uses it to calculate triplets (RAND, SRES, Kc). The triplets are sent to the GSM VLR 304 via the response message NNI REGNOT. The AIF 314 is equipped with CAVE (or the current authentication algorithm in the IS-41 network's Common Cryptographic Algorithms (CCA)), which will be used to generate the triplets. Due to the triplet concept, the GSM architecture does not need to know the authentication algorithm; the algorithm only resides in the UIM 312 and the IS-41 HLR 306. In other words, the GSM VLR 304 does not need to have CAVE.

[0033] The sizes of the challenge and response parameters differ between the IS-41 and the GSM networks. To generate a GSM authentication pair from an IS-41 SSD, the size conversion is performed at the AIF 314: in particular, the AIF 314 generates a 32-bit RAND and calculates an 18-bit authentication response AUTHR using the CAVE algorithm with the 32-bit RAND, a 64-bit SSD_A, an identity value, and the authentication data AUTH_DATA. The AIF 314 also generates a 128-bit RAND from the 32-bit RAND and generates a 32-bit SRES from the 18-bit AUTHR by padding on the left with zeros or dummy values. Because the GSM VLR compares the full 32-bit SRES, the UIM must apply the same padding and must extract the 32-bit RAND from the same position in the 128-bit RAND that the AIF placed it in.

[0034] Normally, during authentication of an IS-41 call origination, the dialed digits are used as the authentication data AUTH_DATA, which provides protection against replay of a global challenge. This is not done in the GSM network because the triplet might be calculated in advance, when the dialed digits are not known. In addition, a triplet is only used once; therefore there is less danger of a replay attack. Therefore, when generating a GSM triplet from SSD, AUTH_DATA is set to the international mobile subscriber identity (IMSI), as it is during a unique challenge.

[0035] The third parameter of the GSM triplet, after RAND and SRES, is the ciphering key Kc. CMEA_KEY, the 64-bit root encryption and voice privacy key, is used for this purpose. CMEA_KEY is generated by the AIF 314 as defined in the IS-41 CCA as:

Kc64 = CMEA_KEY64 = CAVE(SSD_B, AUTH_STATE),

where AUTH_STATE is the state of the internal registers of CAVE after the calculation of the authentication response.

[0036] Once Kc is determined, the triplet is complete and is sent to the GSM VLR 304 via the IS-41 HLR 306 and AIF 314 in the NNI REGNOT response message as:

NNI REGNOT[RAND128, SRES32, Kc64]
[0037] Once the GSM VLR 304 receives the triplet, authentication of the IS-41 phone proceeds as usual, except that the UIM 312 calculates the authentication parameters using CAVE. This process is transparent to the GSM network 218 and is conventionally performed in accordance with the standards set forth by ETSI, such that the following messages are created and exchanged:

VLR 304 -> MT 310: RIL3-MM AUTHREQ [RAND128];
MT 310 -> UIM 312: UIM AUTHREQ [RAND128];
UIM 312: extracts RAND32 from RAND128;
UIM 312: AUTHR18 = CAVE(RAND32, SSD_A64, [Identity], AUTH_DATA);
UIM 312: SRES32 = AUTHR18 padded on the left with 0 or dummy bits;
UIM 312: Kc = CMEA_KEY64 = CAVE(SSD_B, AUTH_STATE);
UIM 312 -> MT 310: UIM AUTHREQ [SRES32, Kc];
MT 310: stores Kc for ciphering;
MT 310 -> VLR 304: RIL3-MM AUTHRESP [SRES32].

[0038] The UIM 312 uses the 128-bit authentication challenge (RAND128) as a parameter and provides a 32-bit authentication response (SRES) and a 64-bit ciphering key (Kc).

GSM User Roaming in an IS-41 Network

[0039] When a GSM user roams in an IS-41 network, the goal is to create Shared Secret Data (SSD) between the IS-41 VLR 308 and the UIM 312 within the mobile terminal 310. As illustrated in more detail in Figure 10, two triplets are sent from the HLR 302 to the AIF 314, which uses them to generate SSD update parameters, which are sent to the VLR 308. The VLR 308 sends RANDGSM_A and RANDGSM_B to the UIM 312 via the MT 311. The UIM 312 uses RANDGSM_A and RANDGSM_B to calculate Kc_A and Kc_B, which are stored as the new value of SSD. Thereafter, for each system access, the VLR 308 authenticates the UIM 312 independently of the HLR 302.

[0040] This is done using SSD, according to the authentication procedure defined in IS-41.

[0041] The idea is to use triplets to generate the parameters required to perform an SSD update. The result is that the IS-41 VLR 308 shares a key (SSD) with the UIM 312 of the roaming GSM user. Subsequently, for each system access, the key can be used with any authentication algorithm common between the UIM 312 and the IS-41 VLR 308.

[0042] Upon detecting a registration attempt from a GSM user, the IS-41 VLR 308 alerts the AIF 314 with a registration notification (NNI REGNOT) message. The AIF 314 then requests two triplets from the GSM HLR 302 of the GSM user. This process is transparent to the GSM network 218 and is done in accordance with the standards set forth by ETSI, such that the following messages are created by the HLR 302 and exchanged with the AIF 314:

HLR 302: Generate 128-bit RANDGSM_A, RANDGSM_B;
HLR 302: Kc_A = A8(RANDGSM_A, Ki);
HLR 302: Kc_B = A8(RANDGSM_B, Ki);
HLR 302 -> AIF 314: (RANDGSM_A, SRES, Kc_A), (RANDGSM_B, SRES, Kc_B).

[0043] The AIF 314 sends the SSD Update parameters back to the IS-41 VLR 308 in the response to the registration notification message (NNI REGNOT):

AIF 314: NewSSDInfo = (Kc_A, Kc_B);
AIF 314 -> VLR 308: NNI REGNOT [RANDGSM_A, RANDGSM_B, NewSSDInfo].

NewSSDInfo has two parts: NewSSD_A = Kc_A, and NewSSD_B = Kc_B.

[0044] The IS-41 VLR 308 performs a modified SSD Update procedure with the MT 310 (via the IS-41 AUTHDIR message; note that this requires the air interface to carry the 128-bit RANDGSM parameters) after inserting the parameters RANDU and AUTHU. These two parameters are used during the unique challenge which is performed after the SSD Update. Note that this may require changes to IS-41 to allow for the larger (128-bit) RANDGSM parameters to be passed. The following messages are then created and exchanged:

VLR 308: Generate random challenge RANDU;
VLR 308: AUTHU = CAVE(RANDU, NewSSD_A, [Identity]);
VLR 308 -> MT 310: SSD_UPDATE_GSM [RANDGSM_A, RANDGSM_B].

[0045] The MT 310 passes the parameters to the UIM 312 (in the proposed message UIM UpdateSSD), which calculates the new SSD:

MT 310 -> UIM 312: UIM UpdateSSD [RANDGSM_A, RANDGSM_B];
UIM 312: SSD_A = A8(RANDGSM_A, Ki);
UIM 312: SSD_B = A8(RANDGSM_B, Ki);
UIM 312: NewSSD = (SSD_A, SSD_B).

[0046] Shared secret data now exists between the IS-41 VLR 308 and the GSM UIM 312. For the rest of the registration period, the UIM 312 uses SSD_A rather than Ki to calculate authentication parameters. Similarly, ciphering keys are calculated with the secret SSD_B.

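The two translations described above, the IS-41 user in a GSM network ([0032] to [0038]) and the GSM user in an IS-41 network ([0039] to [0046]), as one added end-to-end simulation. This is example code written for this page, not code from the patent or from any network vendor. CAVE, A3 and A8 are proprietary and not given on the page, so a keyed HMAC-SHA256 stands in for each of them (an assumption, so the output values mean nothing outside this script); the placement of the 32-bit RAND in the low four bytes of the 128-bit RAND is also an assumption, since the page does not fix the layout; the IMSI, SSD and Ki values are constructed samples.

```python
import hashlib
import hmac
import secrets

# CAVE, A3 and A8 are proprietary, so this stand-in (an assumption of the
# example) keys HMAC-SHA256 with the secret and truncates the digest to the
# sizes the patent states: 18-bit AUTHR, 32-bit SRES, 64-bit Kc / CMEA_KEY.
def _prf(key, *parts):
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

# IS-41 side ([0015]-[0018], [0035])
def cave_authr(rand32, ssd_a, identity, auth_data):
    """Return (AUTHR, AUTH_STATE): the 18-bit response and the post-
    authentication internal state that the key derivation reuses."""
    d = _prf(ssd_a, b"AUTH", rand32, identity, auth_data)
    return int.from_bytes(d[:3], "big") & 0x3FFFF, d[3:]

def cave_cmea_key(ssd_b, auth_state):
    """Kc64 = CMEA_KEY64 = CAVE(SSD_B, AUTH_STATE)."""
    return _prf(ssd_b, b"CMEA", auth_state)[:8]

# GSM side ([0012])
def a3(ki, rand128):
    return _prf(ki, b"A3", rand128)[:4]      # 32-bit SRES

def a8(ki, rand128):
    return _prf(ki, b"A8", rand128)[:8]      # 64-bit Kc

# IS-41 user roaming in a GSM network ([0032]-[0038])
def embed_rand(rand32):
    """128-bit GSM RAND carrying the 32-bit CAVE challenge.  Assumption: the
    challenge occupies the low four bytes; the page does not fix the layout."""
    return bytes(12) + rand32

def extract_rand(rand128):
    return rand128[-4:]

def pad_sres(authr):
    """32-bit SRES from the 18-bit AUTHR, left-padded with zeros ([0033])."""
    return authr.to_bytes(4, "big")

def aif_triplet_from_ssd(ssd_a, ssd_b, imsi, rand32=None):
    """AIF 314: build (RAND128, SRES32, Kc64) from the user's current SSD.
    AUTH_DATA is the IMSI, as in a unique challenge ([0034])."""
    rand32 = rand32 if rand32 is not None else secrets.token_bytes(4)
    authr, state = cave_authr(rand32, ssd_a, imsi, imsi)
    return embed_rand(rand32), pad_sres(authr), cave_cmea_key(ssd_b, state)

def is41_uim_respond(rand128, ssd_a, ssd_b, imsi):
    """UIM 312 answering the GSM AUTHREQ with CAVE ([0037])."""
    authr, state = cave_authr(extract_rand(rand128), ssd_a, imsi, imsi)
    return pad_sres(authr), cave_cmea_key(ssd_b, state)

def gsm_vlr_check(triplet, sres_from_uim):
    """GSM VLR 304 needs no CAVE: it only compares the two SRES values."""
    return hmac.compare_digest(triplet[1], sres_from_uim)

# GSM user roaming in an IS-41 network ([0039]-[0046])
def gsm_hlr_triplet(ki, rand128=None):
    rand128 = rand128 if rand128 is not None else secrets.token_bytes(16)
    return rand128, a3(ki, rand128), a8(ki, rand128)

def aif_ssd_from_triplets(triplet_a, triplet_b):
    """NewSSDInfo = (Kc_A, Kc_B); the two RANDGSM values travel with it so
    the UIM can rederive the same keys ([0043]).  SRES is unused here."""
    return (triplet_a[0], triplet_b[0]), (triplet_a[2], triplet_b[2])

def gsm_uim_update_ssd(ki, randgsm_a, randgsm_b):
    """UIM 312: SSD_A = A8(RANDGSM_A, Ki), SSD_B = A8(RANDGSM_B, Ki) ([0045])."""
    return a8(ki, randgsm_a), a8(ki, randgsm_b)

def is41_unique_challenge(new_ssd_a, identity, randu=None):
    """VLR 308 computes AUTHU locally, with no round trip to the GSM HLR."""
    randu = randu if randu is not None else secrets.token_bytes(4)
    return randu, cave_authr(randu, new_ssd_a, identity, identity)[0]

def uim_answer_unique_challenge(randu, ssd_a, identity):
    return cave_authr(randu, ssd_a, identity, identity)[0]

def demo():
    """Run both directions on constructed sample secrets; return the verdicts."""
    imsi = b"310150123456789"                      # constructed
    ssd_a = bytes.fromhex("0011223344556677")       # constructed 64-bit SSD_A
    ssd_b = bytes.fromhex("ffeeddccbbaa9988")       # constructed 64-bit SSD_B
    triplet = aif_triplet_from_ssd(ssd_a, ssd_b, imsi)
    sres, kc = is41_uim_respond(triplet[0], ssd_a, ssd_b, imsi)
    is41_in_gsm = gsm_vlr_check(triplet, sres) and kc == triplet[2]

    ki = bytes.fromhex("0123456789abcdef")          # constructed 64-bit Ki
    rands, new_ssd = aif_ssd_from_triplets(gsm_hlr_triplet(ki), gsm_hlr_triplet(ki))
    uim_ssd = gsm_uim_update_ssd(ki, *rands)
    randu, authu = is41_unique_challenge(new_ssd[0], imsi)
    gsm_in_is41 = (uim_ssd == new_ssd
                   and uim_answer_unique_challenge(randu, uim_ssd[0], imsi) == authu)
    return is41_in_gsm, gsm_in_is41

if __name__ == "__main__":
    print(demo())
```

Two properties of the page's design are visible in the code: the GSM VLR side calls only gsm_vlr_check, which holds no CAVE and no SSD, and in the other direction the unique challenge is answered from SSD_A alone, so Ki never leaves the UIM and the IS-41 VLR never sees it. The script also shows why the padding and RAND layout must agree on both sides: a UIM that padded SRES differently, or read the 32-bit challenge from a different position, would fail gsm_vlr_check even with the correct SSD.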



A Common Authentication Algorithm



[0047] There is now a secret key shared between the IS-41 VLR 308 and the UIM 312. In order for the VLR 308 to perform authentication and session key generation with the mobile terminal 310, there also needs to be a common cryptographic algorithm shared between the two entities. This algorithm could be CAVE, A3/A8, or any other authentication or key generation algorithm.
[0048] If the changes are to be isolated in the UIM 312, CAVE is inserted into the UIM 312 along with the algorithm A3. When in the native GSM network, A3 is used with the root key Ki. When roaming into an IS-41 network, CAVE is used with the SSD as described above.

[0049] If the changes are to be isolated in the IS-41 network, the algorithm A3 is included in the IS-41 network. The IS-41 VLR 308 would then use CAVE to authenticate native IS-41 phones, and A3 to authenticate GSM roamers.






Interoperability with PDC



[0050] The Japanese PDC signaling MAP uses an authentication scheme that is very close to a triplet-based architecture. When roaming users register in a visited network, there are two versions of the Inter-Network Authentication Information Retrieval message which is sent from the home network to the visited network. One version simply sends the Subscriber Authentication Key. The other version sends the Authentication Information List, which contains the random number, signed response, and the ciphering key, i.e. it is an authentication triplet. Therefore, PDC is equivalent to GSM in terms of interoperability with an SSD-based network like IS-41. Since both PDC and GSM networks use a triplet-based architecture, interworking between them is relatively easy. However, there is an incompatibility issue regarding the size of the signed response parameter, which is 32 bits in GSM and 64 bits in PDC. One solution is to simply disregard 32 bits of the response returned by the PDC UIM when a PDC user roams to a GSM network. This provides 32 bits less security than PDC users are accustomed to.

. - " '_" : ■ ■ ; . . " !; = . 

Security

[0051] The authentication interoperability function discussed above is designed to preserve the level of security currently enjoyed by each system, in the example above the GSM and IS-41 networks.
[0052] IS-41 users are currently authenticated with 32-bit challenges and 18-bit responses. The level of security does not change when these parameters are embedded in larger size fields within a GSM triplet.

[0053] GSM users are currently authenticated with 128-bit challenges and 32-bit responses. Authentication of GSM users while roaming in an IS-41 network is done with IS-41 size security parameters, which have fewer bits of real security (18-bit AUTHR vs. 32-bit SRES). However, the security of GSM users at home within their own system is not lessened. In addition, the security of the root key Ki is not compromised when roaming in an IS-41 network because a) SSD_A is used in place of Ki and b) the keyspace that remains after one challenge/response pair has been observed in IS-41 is (size of key - size of AUTHR) = 64 - 18 = 46 bits, which is more secure than in GSM, where each challenge/response pair observed shrinks the keyspace to 64 - 32 = 32 bits.
[0054] One important impact on IS-41 users is that there is no way to do SSD Update when roaming in a GSM network. If the current SSD is compromised or corrupt, there is nothing that can be done until the user roams back into an IS-41 network. Additionally, this implies that the user cannot activate the subscription (access the network for the first time) while roaming in a GSM network, because no SSD is yet available.

[0055] GSM triplets are currently used only for a single call. In this authentication interoperability function, when a GSM user roams into an IS-41 network, a single triplet is converted into SSD_A which persists for many calls.

[0056] However, SSD_A is 64 bits long, which provides twice the bits of security of the 32-bit SRES in a triplet. The level of security cannot be more than 64 bits anyway, since everything is generated from the 64-bit root key Ki. On the other hand, authentication is now dependent on A8, which is used to generate SSD_A. The security implications of this are not known.

[0057] Regarding export regulations, the ciphering keys described in this application are 64-bit numbers. However, this can always be lessened to conform to government restrictions. In fact, the UIM AUTHREQ message could be designed with an additional parameter which dictates the size of the ciphering key. This way, longer keys can be used domestically while still providing the capability to roam into global markets that have shorter key sizes.

[0058] Although the description above discusses roaming between the GSM network and the IS-41 network, the AIF 314 of the present invention facilitates communication between any stored challenge/response pair authentication network and any primary key/shared secondary key authentication network. In particular, as illustrated in Figure 11, the first network 218 includes an authentication data base 402 and an intermediary 404. Similarly, the second network 220 includes an authentication database 406 and an intermediary 408. The AIF 314 of the present invention enables user 410 to roam between the first network 218 and the second network 220, as described above. Additionally, although Figures 7-11 illustrate the AIF 314 as a stand-alone network entity, the functions implemented by the AIF 314 may be built into any one or more of the HLR 302, VLR 364, HLR 306, or VLR of Figures 7-10 or any one or more of the authentication data base 402, intermediary 404, authentication database 406, or intermediary 408 of Figure 11.
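The two conversions the description and the claims attribute to the AIF (a stored triplet turned into a persistent secondary key SSD_A, and SSD_A turned into fresh triplets) can be modelled end to end. The following Python is an added example written for this page; it is not code from the patent, nor the A3/A8 or CAVE algorithms of GSM or IS-41. Every derivation (a3a8, triplet_to_ssd, ssd_to_triplet, ssd_response) is an HMAC-SHA256 stand-in, the class and function names are this example's own, and the assumption that the visited VLR forwards the triplet's RAND once to the roaming UIM so it can derive the same SSD_A is made here, not stated on the page. The model also shows the point of paragraph [0056]: the 64-bit SSD_A that authenticates many calls is derived from a single triplet, so it carries no more entropy than the 64-bit Kc it came from.

```python
"""Model of an authentication interoperability function (AIF) bridging a
triplet-based network (GSM-style: RAND/SRES/Kc) and a shared-secret-data
network (IS-41-style: SSD_A).  Added illustration, not the patent's or
either standard's code: every derivation below is an HMAC-SHA256 stand-in
for A3/A8, CAVE and the AIF's own key conversion, and the field widths and
the forwarding of RAND to the roaming UIM are assumptions made here."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """Keyed PRF standing in for every derivation in this model."""
    return hmac.new(key, label + data, hashlib.sha256).digest()[:nbytes]


@dataclass(frozen=True)
class Triplet:
    rand: bytes  # 128-bit challenge
    sres: bytes  # 32-bit expected response
    kc: bytes    # 64-bit ciphering key


def a3a8(ki: bytes, rand: bytes) -> Triplet:
    """Stand-in for GSM A3/A8: root key Ki and RAND give (SRES, Kc)."""
    return Triplet(rand, prf(ki, b"SRES", rand, 4), prf(ki, b"KC", rand, 8))


# --- The AIF's two conversions (claims 1 and 8); derivations are assumed ---

def triplet_to_ssd(t: Triplet) -> bytes:
    """Triplet -> 64-bit SSD_A for an SSD-network VLR.  Assumed: PRF keyed
    with Kc (the A8 output the description says SSD_A depends on) over RAND."""
    return prf(t.kc, b"SSD_A", t.rand, 8)


def ssd_to_triplet(ssd: bytes, rand: bytes) -> Triplet:
    """SSD_A -> one triplet for a triplet-network VLR, for a fresh RAND."""
    return Triplet(rand, prf(ssd, b"SRES", rand, 4), prf(ssd, b"KC", rand, 8))


def ssd_response(ssd: bytes, challenge: bytes) -> bytes:
    """Stand-in for the per-call CAVE-style response computed from SSD_A."""
    return prf(ssd, b"AUTHR", challenge, 3)


class Uim:
    """User identity module.  A native GSM subscriber holds Ki; a native
    SSD-network subscriber holds SSD_A.  A GSM subscriber roaming into an
    SSD network derives SSD_A from its own Kc, mirroring the AIF."""

    def __init__(self, ki: Optional[bytes] = None, ssd: Optional[bytes] = None):
        self.ki, self.ssd = ki, ssd

    def derive_ssd(self, rand: bytes) -> bytes:
        self.ssd = triplet_to_ssd(a3a8(self.ki, rand))
        return self.ssd

    def gsm_answer(self, rand: bytes) -> bytes:
        # A native GSM UIM runs A3; a roaming SSD subscriber mirrors the AIF's conversion.
        if self.ki is not None:
            return a3a8(self.ki, rand).sres
        return ssd_to_triplet(self.ssd, rand).sres

    def ssd_answer(self, challenge: bytes) -> bytes:
        return ssd_response(self.ssd, challenge)


def roam_gsm_user_into_ssd_network(hlr_ki: bytes, uim_ki: bytes, calls: int = 3) -> bool:
    """GSM subscriber visiting an SSD network: the home HLR issues ONE triplet,
    the AIF turns it into SSD_A for the visited VLR, and that SSD_A then
    authenticates `calls` successive calls without going back to the HLR."""
    triplet = a3a8(hlr_ki, secrets.token_bytes(16))      # HLR: authentication data base
    ssd_vlr = triplet_to_ssd(triplet)                     # AIF -> VLR (intermediary)
    uim = Uim(ki=uim_ki)
    uim.derive_ssd(triplet.rand)                          # VLR forwards RAND once (assumed)
    ok = True
    for _ in range(calls):                                # per-call challenge/response on SSD_A
        challenge = secrets.token_bytes(4)                # constructed 32-bit challenge
        ok &= hmac.compare_digest(ssd_response(ssd_vlr, challenge), uim.ssd_answer(challenge))
    return ok


def roam_ssd_user_into_gsm_network(hlr_ssd: bytes, uim_ssd: bytes, calls: int = 3) -> bool:
    """SSD-network subscriber visiting a GSM network: the AIF turns the home
    HLR's SSD_A into a fresh triplet for every challenge the visited VLR issues."""
    uim = Uim(ssd=uim_ssd)
    ok = True
    for _ in range(calls):
        t = ssd_to_triplet(hlr_ssd, secrets.token_bytes(16))  # AIF -> GSM VLR
        ok &= hmac.compare_digest(t.sres, uim.gsm_answer(t.rand))
    return ok


if __name__ == "__main__":
    ki = secrets.token_bytes(8)    # 64-bit root key, as the description states
    ssd = secrets.token_bytes(8)   # 64-bit SSD_A
    print("GSM user in SSD network:", roam_gsm_user_into_ssd_network(ki, ki))
    print("SSD user in GSM network:", roam_ssd_user_into_gsm_network(ssd, ssd))
    print("wrong Ki rejected:", not roam_gsm_user_into_ssd_network(ki, secrets.token_bytes(8)))
```

Two things in the model are worth noticing from a defender's side. In roam_gsm_user_into_ssd_network the home HLR is contacted once and the visited VLR then holds SSD_A across several calls, so the exposure window of that key is the whole roaming session rather than one challenge, which is the trade-off paragraph [0056] flags as having unknown implications. In the reverse direction every challenge consumes a freshly derived triplet, so compromise of one SRES/Kc pair does not carry over to the next call; the 32-bit SRES still bounds what a single exchange proves, whatever the length of the key it was derived from.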



Claims

1. An authentication interoperability function for facilitating authentication of a user from a first network when the user is in a second network, having a different authentication scheme from the first network, said authentication interoperability function receiving a challenge/response pair from an authentication data base in the first network, creating a secondary key from the challenge/response pair, and sending the secondary key to an intermediary in the second network to authenticate the user from the first network.

2. The authentication interoperability function of claim 1, wherein the user is a mobile telephone subscriber.

3. The authentication interoperability function of claim 1, wherein the first network is a Global System for Mobiles (GSM) network, the second network is an IS-41 network, the intermediary is a visiting location register in the IS-41 network, and the authentication data base is a home location register in the GSM network.



4. The authentication interoperability function of claim 3, wherein the authentication interoperability function is colocated with the home location register in the GSM network.

5. The authentication interoperability function of claim 3, wherein the authentication interoperability function is colocated with the visiting location register in the IS-41 network.

6. The authentication interoperability function of claim 3, wherein the authentication interoperability function is a stand-alone network entity.

7. The authentication interoperability function of claim 1, wherein an authentication scheme of the first network is a stored challenge/response pair authentication scheme and an authentication scheme of the second network is a primary key/shared secondary key authentication scheme.

8. An authentication interoperability function for facilitating authentication of a user from a first network when the user is in the second network, having a different authentication scheme from the first network, said authentication interoperability function receiving a secondary key from an authentication data base from the first network, creating a challenge/response pair from the secondary key, and sending the challenge/response pair to an intermediary in the second network to authenticate the user from the first network.


9. The authentication interoperability function of claim 8, wherein the user is a mobile telephone subscriber.

10. The authentication interoperability function of claim 8, wherein the first network is an IS-41 network, the second network is a Global System for Mobiles (GSM) network, the intermediary is a visiting location register in the GSM network, and the authentication data base is a home location register in the IS-41 network.






11. The authentication interoperability function of claim 10, wherein the authentication interoperability function is colocated with the home location register in the IS-41 network.

12. The authentication interoperability function of claim 10, wherein the authentication interoperability function is colocated with the visiting location register in the GSM network.

13. The authentication interoperability function of claim 10, wherein the authentication interoperability function is a stand-alone network entity.

14. The authentication interoperability function of claim 8, wherein an authentication scheme of the first network is a primary key/shared secondary key authentication scheme and an authentication scheme of the second network is a stored challenge/response pair authentication scheme.


15. A method of authenticating a user from a first network when the user is in a second network, having a different authentication scheme from the first network, said method comprising the steps of:

receiving a challenge/response pair from an authentication data base in the first network;

generating a key from the challenge/response pair; and

authenticating the user based on the key.

16. The method of claim 15, wherein the key is a secondary key generated from a primary key.






17. The method of claim 15, wherein the user is a mobile telephone subscriber.

18. The method of claim 15, wherein the first network is a Global System for Mobiles (GSM) network, the second network is an IS-41 network, and the authentication data base is a home location register in the GSM network.

19. The method of claim 15, wherein an authentication scheme of the first network is a stored challenge/response pair authentication scheme and an authentication scheme of the second network is a primary key/shared secondary key authentication scheme.

20. A method for authenticating a user from a first network when the user is in a second network, having a different authentication scheme from the first network, said method comprising the steps of:

generating a challenge/response pair from a key;

transmitting the challenge/response pair to an intermediary in the first network;

authenticating the user based on the challenge/response pair.



21. The method of claim 20, wherein the key is a secondary key generated from a primary key.

22. The method of claim 20, wherein the user is a mobile telephone subscriber.

23. The method of claim 20, wherein the first network is an IS-41 network, the second network is a Global System for Mobiles (GSM) network, and the authentication data base is a home location register in the IS-41 network.

24. The method of claim 20, wherein an authentication scheme of the first network is a stored challenge/response pair authentication scheme and an authentication scheme of the second network is a primary key/shared secondary key authentication scheme.

25. An interface for authenticating a user from a first network when the user is in a second network, having a different authentication scheme from the first network, said interface comprising:

a message containing a challenge/response pair from an authentication data base in the first network to an intermediary in the second network.






26. The interface of claim 25, wherein the user is a mobile telephone subscriber.

27. The interface of claim 25, wherein the first network is a Global System for Mobiles (GSM) network, the second network is an IS-41 network, the authentication data base is a home location register in the GSM network, and the intermediary is a visiting location register in the IS-41 network.

28. The interface of claim 25, wherein an authentication scheme of the first network is a stored challenge/response pair authentication scheme and an authentication scheme of the second network is a primary key/shared secondary key authentication scheme.

29. The interface of claim 25, wherein the first network is an IS-41 network, the second network is a Global System for Mobiles (GSM) network, the authentication data base is a home location register in the IS-41 network, and the intermediary is a visiting location register in the GSM network.

30. The interface of claim 25, wherein an authentication scheme of the first network is a primary key/shared secondary key authentication scheme and an authentication scheme of the second network is a stored challenge/response pair authentication scheme.


31. An interface for authenticating a user from a first network when the user is in a second network, having a different authentication scheme from the first network, said interface comprising:

a message containing a challenge from an intermediary in the first network to the user and a response from the user to the intermediary in the first network.

32. The interface of claim 31, wherein the user is a user identity module (UIM) of a mobile telephone and the intermediary is a visiting location register.

33. The interface of claim 32, wherein the first network is an IS-41 network and the second network is a Global System for Mobiles (GSM) network.

34. The interface of claim 32, wherein the first network is a Global System for Mobiles (GSM) network and the second network is an IS-41 network.

35. The interface of claim 31, wherein the message further contains a random number challenge from the intermediary in the first network to the user from which the user can generate a key.

36. The interface of claim 35, wherein the user is a user identity module (UIM) of a mobile telephone and the intermediary is a visiting location register.

37. The interface of claim 35, wherein the first network is an IS-41 network and the second network is a Global System for Mobiles (GSM) network.

38. The interface of claim 35, wherein the first network is a Global System for Mobiles (GSM) network and the second network is an IS-41 network.



39. An intermediary for authenticating a user from a first network when the user is in a second network, having a different authentication scheme from the first network, said intermediary comprising:

a receiving element for receiving a challenge/response pair from an authentication data base in the first network;

a generating element for generating a key from the challenge/response pair;

an authenticating element for authenticating the user based on the key.

40. The method of claim 39, wherein the key is a secondary key generated from a primary key.

41. The method of claim 39, wherein the user is a mobile telephone subscriber.

42. The intermediary of claim 39, wherein the first network is a Global Systems for Mobiles (GSM) network, the second network is an IS-41 network, the authentication data base in the first network is a home location register in the GSM network, and the intermediary is a visiting location register in the IS-41 network.

43. The method of claim 39, wherein an authentication scheme of the first network is a stored challenge/response pair authentication scheme and an authentication scheme of the second network is a primary key/shared secondary key authentication scheme.


44. An authentication database for facilitating authentication of a user from a first network when the user is in a second network, having a different authentication scheme from the first network, said location register comprising:

a generating element for generating a challenge/response pair from a key;

a transmitting element for transmitting the challenge/response pair to an intermediary in the first network which authenticates the user based on the challenge/response pair.

45. The authentication data base of claim 44, wherein the key is a secondary key generated from a primary key.

46. The authentication data base of claim 44, wherein the user is a mobile telephone subscriber.

47. The authentication data base of claim 44, wherein the first network is a Global System for Mobiles (GSM) network, the second network is an IS-41 network, the intermediary in the first network is a visiting location register in the GSM network, and the authentication data base is a home location register in the IS-41 network.

48. The method of claim 44, wherein an authentication scheme of the first network is a stored challenge/response pair authentication scheme and an authentication scheme of the second network is a primary key/shared secondary key authentication scheme.


49. An intermediary for authenticating a user from a first network when the user is in a second network, having a different authentication scheme from the first network, said intermediary comprising:

a receiving element for receiving a challenge/response pair from an authentication data base in the second network, which generated the challenge/response pair from a key; and

an authenticating element for authenticating the user based on the challenge/response pair.

50. The method of claim 49, wherein the key is a secondary key generated from a primary key.


51. The method of claim 49, wherein the user is a mo- 
bile telephone subscriber. 

52. The intermediary of claim 49, wherein the first network is a Global System for Mobiles (GSM) network, the second network is an IS-41 network, the authentication data base is a home location register in the IS-41 network, and the intermediary is a visiting location register in the GSM network.

53. The method of claim 49, wherein an authentication 
scheme of the first network is a stored challenge/ 
response pair authentication scheme and an au- 
thentication scheme of the second network is a pri- 
mary key/shared secondary key authentication 
scheme. 

54. An authentication data base for facilitating authentication of a user from a first network when the user is in a second network, having a different authentication scheme from the first network, said location register comprising:

a generating element for generating a key -from 
a challenge/response" pair; 

a transmitting element for transmitting the key 
to an intermediary in the second network which 
authenticates the user based on the key. 

55. The authentication data base of claim 54, wherein the key is a secondary key generated from a primary key.

56. The authentication data base of claim 54, wherein the user is a mobile telephone subscriber.

57. The authentication data base of claim 54, wherein the first network is a Global System for Mobiles (GSM) network, the second network is an IS-41 network, the intermediary is a visiting location register in the IS-41 network, and the authentication data base is a home location register in the GSM network.

58. The authentication data base of claim 54, wherein an authentication scheme of the first network is a stored challenge/response pair authentication scheme and an authentication scheme of the second network is a primary key/shared secondary key authentication scheme.